Skillv0.1.0

ClawScan security

Drill Sergeant Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 11:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (monitoring team channel discipline) aligns with its content, but the runtime instructions are vague about what message sources to collect and give the agent broad discretion — this could lead to unintended access or exposure of sensitive messages unless you control what connectors/permissions are used.
Guidance: This skill appears to do what it says, but its runtime instructions are intentionally vague about which message sources to collect. Before installing or enabling it: 1) Confirm exactly which connectors/permissions the agent will use to read messages (Slack, Teams, email, task trackers) and restrict the skill to only those approved channels. 2) Require explicit scope/allowlist in SKILL.md (time window, channel list, message types) and automated redaction rules so outputs cannot include PII, tokens, or internal IDs. 3) Run the skill in a limited sandbox or with read-only, narrow-scoped credentials first and audit the outputs for accidental data leakage. 4) If you need stronger guarantees, ask the author to add explicit collection rules and built-in redaction/filtering before broad deployment.

Review Dimensions

Purpose & Capability: noteName/description match the included artifacts (checklists, templates, operating rules). The skill is instruction-only and does not declare unrelated credentials or binaries, which is proportionate. However, the skill implicitly requires access to team messages/tasks (connectors or platform permissions) but does not document or restrict which sources are allowed — this is reasonable for a discipline tool but should be explicit.
Instruction Scope: concernThe SKILL.md tells the agent to 'Collect message and task signals from allowed sources' but does not define or limit those sources. That vagueness grants the agent broad discretion to fetch message history or other context from whatever connectors it has access to, increasing risk of reading sensitive content. The operating rules advise not to include secrets/identifiers in outputs, but there is no enforcement or concrete filtering/redaction instruction, nor any limitation on collection scope or retention.
Install Mechanism: okInstruction-only skill with no install script, no code files to execute, and no network downloads — minimal install risk. Nothing in the package performs arbitrary code installation.
Credentials: noteThe package requests no environment variables or credentials, which is consistent with its claim of being 'vendor-neutral' and publish-safe. However, practical use requires the agent/platform to have connectors to message sources; the skill does not document required permissions or connectors. Confirming which external service credentials (if any) will be used is necessary before deployment.
Persistence & Privilege: okFlags show default invocation (not always: true) and no claims of modifying other skills or agent-wide settings. The skill does not request persistent system presence or elevated privileges in the package.